Well the clue seems to be in the name, it's got 'public_key' so that's a deliberate choice. The choice of word 'exposed' makes it sound like it wasn't meant to be seen, but I'm not so sure.<p>The issue is more likely the signature parameter, which does require a secret key, the documentation does not show it as required. Is that what the author is interpreting as "I noticed that for uploading an image you only need a public key."?<p>> signature<p>> string<p>> signature is a string sent along with your upload request. It requires your Uploadcare project Secret key and it should be generated on your back end. See Secure Uploads for details.<p>I looked at several uploadcare repos including Swift and Java, and I can see a signature being generated.